Azure Microsoft Defender Endpoint: How to Integrate or Stream Logs to Azure Log Analytics Workspace

Arnold Reddy 20 Reputation points
2024-07-30T00:51:02.96+00:00

I'm having trouble finding articles on how to stream/connect logs from Microsoft Defender for Endpoint to a new Log Analytics Workspace in the same tenant. Most solutions I've found show Defender for Cloud, but we're using Microsoft Defender for Endpoint and need to send logs to a Log Analytics Workspace in the same tenant in Part 1, then to another LA workspace in another tenant for Part 2. I think Log Ingestion API could be the solution, but I'm looking for examples or usable tutorials. Can anyone share some information or advice?

Azure Monitor: An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Microsoft Defender for Endpoint Training: Microsoft Defender for Endpoint is a Microsoft unified security platform for preventative protection, post-breach detection, and automated investigation and response, previously known as Microsoft Defender Advanced Threat Protection. Training: instruction to develop new skills.

Accepted answer
Clive Watson 6,111 Reputation points MVP
2024-07-30T07:28:03.52+00:00

Slightly old, but these articles may help with some ideas: https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/blog-series-limitless-advanced-hunting-with-azure-data-explorer/ba-p/2328705
https://jeffreyappel.nl/export-microsoft-defender-for-endpoint-security-events-with-the-streaming-api/

Obviously the data is already in a custom Log Analytics workspace (but you can only access it from the portal, which may be an issue?).
You could also use Microsoft Sentinel, as that has a native connector (called the "Microsoft Defender XDR" connector) to move data to another workspace (even if you don't use Sentinel afterwards). https://learn.microsoft.com/en-us/defender-xdr/microsoft-sentinel-onboard

    1 person found this answer helpful.
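The question raises the Logs Ingestion API as the route for the cross-tenant leg (Part 2), and the second link in the answer covers the supply side (Streaming API into an Event Hub). The following is an added example, written for this page and not code from the thread, from Microsoft, or from the linked articles. It shows the push side: shaping Defender for Endpoint events for a data collection rule (DCR) stream, chunking them to the documented 1 MB request limit, and preparing the POST. Everything specific is assumed and labelled: the data collection endpoint (DCE) URI, the DCR immutable ID, the stream name `Custom-MdeEvents_CL`, the custom table columns, and a bearer token obtained by a service principal in the target tenant for scope `https://monitor.azure.com/.default` with the Monitoring Metrics Publisher role on the DCR. The sample events are constructed, not real telemetry.

```python
"""Push Defender for Endpoint events to a Log Analytics workspace via the
Azure Monitor Logs Ingestion API (DCE + DCR). Added example; assumptions
are marked as such in comments."""
import json
import urllib.request
from datetime import datetime, timezone

# Documented Logs Ingestion API limit: 1 MB per request body (uncompressed).
MAX_BODY_BYTES = 1_000_000
API_VERSION = "2023-01-01"  # assumed current GA api-version for the ingestion endpoint


def ingestion_url(dce_endpoint: str, dcr_immutable_id: str, stream_name: str) -> str:
    """POST target for a DCR stream. dce_endpoint is the DCE logs-ingestion URI,
    which looks like https://<name>-<id>.<region>.ingest.monitor.azure.com (assumed)."""
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version={API_VERSION}")


def normalise_event(ev: dict) -> dict:
    """Map a Streaming-API style DeviceEvents record onto the custom table
    columns assumed for the DCR stream. TimeGenerated must be ISO 8601, and the
    full record is kept in RawEvent so nothing is lost by the column mapping."""
    ts = ev.get("Timestamp") or datetime.now(timezone.utc).isoformat()
    return {
        "TimeGenerated": ts,
        "DeviceName": ev.get("DeviceName", ""),
        "ActionType": ev.get("ActionType", ""),
        "ReportId": ev.get("ReportId"),
        "RawEvent": json.dumps(ev, separators=(",", ":")),
    }


def chunk_records(records: list, max_bytes: int = MAX_BODY_BYTES) -> list:
    """Split records into JSON arrays whose compact serialization stays within
    max_bytes. A single record that cannot fit is rejected, not silently dropped."""
    chunks, current, size = [], [], 2  # 2 bytes for the enclosing '[' and ']'
    for rec in records:
        enc = len(json.dumps(rec, separators=(",", ":")).encode("utf-8"))
        if enc + 2 > max_bytes:
            raise ValueError(f"record exceeds {max_bytes} bytes: ReportId={rec.get('ReportId')}")
        if current and size + enc + 1 > max_bytes:   # +1 for the separating comma
            chunks.append(current)
            current, size = [], 2
        current.append(rec)
        size += enc + (1 if len(current) > 1 else 0)
    if current:
        chunks.append(current)
    return chunks


def build_requests(dce_endpoint: str, dcr_immutable_id: str, stream_name: str,
                   events: list, bearer_token: str) -> list:
    """Prepare one (url, headers, body) tuple per chunk. For the cross-tenant
    case the token must be issued by the *target* tenant for the service
    principal that holds Monitoring Metrics Publisher on the DCR (assumed setup)."""
    url = ingestion_url(dce_endpoint, dcr_immutable_id, stream_name)
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    return [(url, headers, json.dumps(chunk, separators=(",", ":")).encode("utf-8"))
            for chunk in chunk_records([normalise_event(e) for e in events])]


def send(url: str, headers: dict, body: bytes) -> int:
    """Perform the POST (not exercised offline). The API returns 204 on accept;
    a 413 means the chunking limit above was exceeded, 403 means the principal
    lacks the DCR role or the token was minted in the wrong tenant."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample events in the shape the MDE Streaming API emits; not real data.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-07-30T00:51:02.96Z", "DeviceName": "wks-01.contoso.local",
     "ActionType": "ProcessCreated", "ReportId": 1001, "FileName": "powershell.exe"},
    {"Timestamp": "2024-07-30T00:51:03.10Z", "DeviceName": "wks-01.contoso.local",
     "ActionType": "ConnectionSuccess", "ReportId": 1002, "RemoteIP": "203.0.113.7"},
]

if __name__ == "__main__":
    # Replace the placeholders with your DCE, DCR immutable ID and a real token.
    for url, hdrs, body in build_requests("https://dce-x.eastus-1.ingest.monitor.azure.com",
                                          "dcr-0000", "Custom-MdeEvents_CL",
                                          SAMPLE_EVENTS, "<token>"):
        print(url, len(body), "bytes")
```

The column names and stream name have to match the DCR's declared stream exactly, and TimeGenerated cannot be older than the workspace's ingestion-time limit, so a backlog replay from the Event Hub should be checked for stale timestamps before posting.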

0 additional answers
